
Example 31 with TestOIDCEndpointsApplicationResource

use of org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource in project keycloak by keycloak.

the class FAPI1Test method testFAPIAdvancedLoginWithPrivateKeyJWT.

/**
 * Walks a confidential client through the FAPI 1 Advanced profile: the client must authenticate
 * with private_key_jwt, send a signed request object containing {@code nbf} and a nonce, use the
 * {@code code id_token} response type (no {@code token}), and bind the issued access token to an
 * mTLS client certificate. Each step first exercises the rejecting path, then the accepting one.
 *
 * @throws Exception propagated from the testsuite helpers used below
 */
@Test
public void testFAPIAdvancedLoginWithPrivateKeyJWT() throws Exception {
    final String clientId = "foo";
    final org.keycloak.jose.jws.Algorithm requestObjectAlg = org.keycloak.jose.jws.Algorithm.PS256;
    final String hybridWithToken = OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN;
    final String hybridCodeIdToken = OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN;

    // Realm-wide "advanced" FAPI policy applies to every client, including the one registered next
    setupPolicyFAPIAdvancedForAllClient();

    // Client authenticates with private_key_jwt, has implicit flow on, and publishes a request_uri
    String clientInternalId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
        clientRep.setImplicitFlowEnabled(true);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Collections.singletonList(TestApplicationResourceUrls.clientRequestUri()));
    });
    ClientResource clientResource = adminClient.realm(REALM_NAME).clients().get(clientInternalId);
    ClientRepresentation registered = clientResource.toRepresentation();
    assertEquals(JWTClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // Nonce/state and redirect_uri enforcement for this client
    oauth.clientId(clientId);
    checkNonceAndStateForCurrentClientDuringLogin();
    checkRedirectUriForCurrentClientDuringLogin();

    // A bare authorization request (no request / request_uri) is rejected
    oauth.openLoginForm();
    assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST, false, "Missing parameter: 'request' or 'request_uri'");

    // Request object without 'nbf' is rejected by the FAPI 1 advanced policy
    TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject reqObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    reqObj.nbf(null);
    registerRequestObject(reqObj, clientId, requestObjectAlg, true);
    oauth.openLoginForm();
    assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST_URI, false, "Missing parameter in the 'request' object: nbf");

    // Valid request object; the nonce matches the one used by checkNonceAndStateForCurrentClientDuringLogin().
    // Deeper coverage of the 'request' object lives in ClientPoliciesTest.testSecureRequestObjectExecutor()
    reqObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    reqObj.setNonce("123456");
    registerRequestObject(reqObj, clientId, requestObjectAlg, true);

    // Default response_type is not acceptable
    oauth.openLoginForm();
    assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST, false, "invalid response_type");

    // response_type including 'token' is rejected as well
    oauth.responseType(hybridWithToken);
    reqObj.setResponseType(hybridWithToken);
    registerRequestObject(reqObj, clientId, requestObjectAlg, true);
    oauth.openLoginForm();
    assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST, true, "invalid response_type");

    // 'code id_token' is the response_type FAPI 1 Advanced expects; the login page is now reached
    oauth.responseType(hybridCodeIdToken);
    reqObj.setResponseType(hybridCodeIdToken);
    registerRequestObject(reqObj, clientId, requestObjectAlg, true);
    oauth.openLoginForm();
    loginPage.assertCurrent();

    // Client keys from the test application: used both for client authentication and request-object signing
    TestOIDCEndpointsApplicationResource testAppEndpoints = testingClient.testApp().oidcClientEndpoints();
    Map<String, String> keysBase64 = testAppEndpoints.getKeysAsBase64();
    KeyPair clientKeys = getKeyPairFromGeneratedBase64(keysBase64, Algorithm.PS256);
    PublicKey publicKey = clientKeys.getPublic();
    PrivateKey privateKey = clientKeys.getPrivate();

    // Authorization response carries no access token; the ID token acts as a detached signature over the code
    String code = loginUserAndGetCode(clientId, true);
    Assert.assertNull(getParameterFromUrl(OAuth2Constants.ACCESS_TOKEN, true));
    String detachedIdToken = getParameterFromUrl(OAuth2Constants.ID_TOKEN, true);
    assertIDTokenAsDetachedSignature(detachedIdToken, code);

    // Token request over a plain (non-mTLS) HTTP client is refused: holder-of-key binding is mandatory
    String clientAssertion = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.PS256);
    OAuthClient.AccessTokenResponse tokenResp = doAccessTokenRequestWithClientSignedJWT(code, clientAssertion, null, () -> new DefaultHttpClient());
    Assert.assertEquals(OAuthErrorException.INVALID_GRANT, tokenResp.getError());
    Assert.assertEquals("Client Certification missing for MTLS HoK Token Binding", tokenResp.getErrorDescription());

    // Same flow with an mTLS-capable HTTP client succeeds and the access token carries the cert thumbprint
    oauth.openLoginForm();
    code = oauth.getCurrentFragment().get(OAuth2Constants.CODE);
    Assert.assertNotNull(code);
    String secondAssertion = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.PS256);
    tokenResp = doAccessTokenRequestWithClientSignedJWT(code, secondAssertion, null, MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
    assertSuccessfulTokenResponse(tokenResp);
    AccessToken accessToken = oauth.verifyToken(tokenResp.getAccessToken());
    Assert.assertNotNull(accessToken.getCertConf().getCertThumbprint());

    // Clean up session and consent so following logins start from scratch
    logoutUserAndRevokeConsent(clientId);
}
Also used : KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) OAuthClient(org.keycloak.testsuite.util.OAuthClient) PublicKey(java.security.PublicKey) DefaultHttpClient(org.apache.http.impl.client.DefaultHttpClient) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AccessToken(org.keycloak.representations.AccessToken) ClientResource(org.keycloak.admin.client.resource.ClientResource) TestingOIDCEndpointsApplicationResource(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource) Test(org.junit.Test)

Example 32 with TestOIDCEndpointsApplicationResource

use of org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource in project keycloak by keycloak.

the class OIDCAdvancedRequestParamsTest method requestObjectRequiredAsRequestUriParamProvidedInRequestParam.

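/**
 * A client configured with {@code request_object_required = request_uri} must reject an
 * authorization request that delivers the request object inline via the {@code request}
 * parameter instead of by reference.
 *
 * The client configuration change is reverted in a {@code finally} block so that a failing
 * assertion does not leave "test-app" in the stricter mode for later tests.
 *
 * @throws Exception propagated from the testsuite helpers used below
 */
@Test
public void requestObjectRequiredAsRequestUriParamProvidedInRequestParam() throws Exception {
    oauth.stateParamHardcoded("mystate2");
    // Require the request object to be delivered by reference (request_uri) only
    ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation clientRep = clientResource.toRepresentation();
    OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired(OIDCConfigAttributes.REQUEST_OBJECT_REQUIRED_REQUEST_URI);
    clientResource.update(clientRep);
    try {
        // Publish an (unsigned) request object from the test application
        TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", Algorithm.none.toString());
        // Send the request object inline in the "request" param, which this client mode forbids
        oauth.request(oidcClientEndpointsResource.getOIDCRequest());
        // The authorization request must be refused
        oauth.openLoginForm();
        Assert.assertTrue(errorPage.isCurrent());
        assertEquals("Invalid Request", errorPage.getError());
    } finally {
        // Revert to the default (request object not required) even when an assertion above failed
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired(null);
        clientResource.update(clientRep);
    }
}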
Also used : TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AbstractAdminTest(org.keycloak.testsuite.admin.AbstractAdminTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 33 with TestOIDCEndpointsApplicationResource

use of org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource in project keycloak by keycloak.

the class OIDCAdvancedRequestParamsTest method requestUriParamSignedIn.

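/**
 * Configures "test-app" to require request objects signed with {@code expectedAlgorithm}, has the
 * test application publish a request object signed with {@code actualAlgorithm} under its
 * {@code request_uri}, and then verifies that login succeeds only when the client has no
 * requirement ({@code expectedAlgorithm == null}) or the two algorithms match.
 *
 * @param expectedAlgorithm signature algorithm the client requires for request objects; {@code null} for no requirement
 * @param actualAlgorithm   algorithm the test application actually signs the request object with
 * @throws Exception propagated from the testsuite helpers used below
 */
private void requestUriParamSignedIn(Algorithm expectedAlgorithm, Algorithm actualAlgorithm) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        String validRedirectUri = oauth.getRedirectUri();
        TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
        // Set required signature for request_uri
        clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectSignatureAlg(expectedAlgorithm);
        clientResource.update(clientRep);
        // generate and register client keypair (not needed for an unsigned request object)
        if (Algorithm.none != actualAlgorithm) {
            oidcClientEndpointsResource.generateKeys(actualAlgorithm.name());
        }
        // register request object
        oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", actualAlgorithm.name());
        // point the client at the test application's JWKS so the server can verify the signature
        clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
        String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
        clientResource.update(clientRep);
        // set time offset, so that cached keys expire and the new ones are downloaded
        // NOTE(review): the offset is not reverted in this method; presumably the test base class resets it — confirm
        setTimeOffset(20);
        oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        if (expectedAlgorithm == null || expectedAlgorithm == actualAlgorithm) {
            // Check signed request_uri will pass
            OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
            Assert.assertNotNull(response.getCode());
            Assert.assertEquals("mystate3", response.getState());
            assertTrue(appPage.isCurrent());
        } else {
            // Verify signed request_uri will fail due to failed signature validation
            oauth.openLoginForm();
            Assert.assertTrue(errorPage.isCurrent());
            assertEquals("Invalid Request", errorPage.getError());
        }
    } finally {
        // If the try block failed before the client was loaded, both locals are still null and the
        // revert would throw an NPE that masks the original failure — skip it in that case.
        if (clientResource != null && clientRep != null) {
            // Revert requiring signature for client
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectSignatureAlg(null);
            // Revert jwks_url settings
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
            clientResource.update(clientRep);
        }
    }
}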
Also used : TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Example 34 with TestOIDCEndpointsApplicationResource

use of org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource in project keycloak by keycloak.

the class OIDCAdvancedRequestParamsTest method requestObjectRequiredAsRequestUriParamProvidedInRequestUriParam.

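/**
 * A client configured with {@code request_object_required = request_uri} must accept an
 * authorization request that delivers the request object by reference via {@code request_uri}.
 *
 * The client configuration change is reverted in a {@code finally} block so that a failing
 * assertion does not leave "test-app" in the stricter mode for later tests.
 *
 * @throws Exception propagated from the testsuite helpers used below
 */
@Test
public void requestObjectRequiredAsRequestUriParamProvidedInRequestUriParam() throws Exception {
    oauth.stateParamHardcoded("mystate2");
    // Require the request object to be delivered by reference (request_uri) only
    ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation clientRep = clientResource.toRepresentation();
    OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired(OIDCConfigAttributes.REQUEST_OBJECT_REQUIRED_REQUEST_URI);
    clientResource.update(clientRep);
    try {
        // Publish an (unsigned) request object from the test application
        TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
        // Reference the request object through the "request_uri" param
        oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
        // The authorization request must be accepted and the state echoed back
        OAuthClient.AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
        Assert.assertNotNull(response1.getCode());
        Assert.assertEquals("mystate2", response1.getState());
        assertTrue(appPage.isCurrent());
    } finally {
        // Revert to the default (request object not required) even when an assertion above failed
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectRequired(null);
        clientResource.update(clientRep);
    }
}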
Also used : TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AbstractAdminTest(org.keycloak.testsuite.admin.AbstractAdminTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 35 with TestOIDCEndpointsApplicationResource

use of org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource in project keycloak by keycloak.

the class OIDCAdvancedRequestParamsTest method requestObjectNotRequiredProvidedInRequestUriParam.

/**
 * With no request-object requirement on the client, an authorization request that supplies the
 * request object by reference via {@code request_uri} is accepted and the login completes with
 * the expected state.
 *
 * @throws Exception propagated from the testsuite helpers used below
 */
@Test
public void requestObjectNotRequiredProvidedInRequestUriParam() throws Exception {
    final String expectedState = "mystate2";
    oauth.stateParamHardcoded(expectedState);

    // Explicitly clear any request-object requirement on "test-app"
    ClientResource testApp = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    OIDCAdvancedConfigWrapper.fromClientRepresentation(testAppRep).setRequestObjectRequired(null);
    testApp.update(testAppRep);

    // Have the test application publish an unsigned request object under its request_uri
    TestOIDCEndpointsApplicationResource testAppEndpoints = testingClient.testApp().oidcClientEndpoints();
    testAppEndpoints.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", expectedState, Algorithm.none.toString());
    oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());

    // Login succeeds: a code is issued, the state round-trips, and the app page is shown
    OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin("test-user@localhost", "password");
    Assert.assertNotNull(loginResponse.getCode());
    Assert.assertEquals(expectedState, loginResponse.getState());
    assertTrue(appPage.isCurrent());
}
Also used : TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AbstractAdminTest(org.keycloak.testsuite.admin.AbstractAdminTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)
